Abstract
We review the academic literature on “cyber risk” and “cyber insurance” in the fields of business (management, economics, finance, risk management and insurance) and actuarial science. Our results show that cyber risk is an increasingly important research topic in many disciplines, but one that so far has received little attention in business and actuarial science. Business research has documented the manifold detrimental effects of cyber risks using event studies and scenario analyses, while economic research is especially concerned with trade-offs between different risk management activities. Quantitative research including papers published in actuarial journals mainly focuses on loss modelling, especially taking dependencies and network structure into account. We categorize the empirical literature on cyber risk to filter out what we know on the frequency, severity and dependence structure of cyber risk. Finally, we list open research questions which demonstrate that cyber risk research is still in its infancy and that there is ample room for future research.
Notes
As shown in “Appendix A”, research on cyber risk and cyber insurance was scarce until 2010, but since then it has grown exponentially, emphasizing the increasing practical and academic relevance of the topic. We also note a number of working parties studying cyber risk from a more applied perspective for professional organizations, such as the Society of Actuaries (SOA), the International Actuarial Association (IAA) or the Canadian Institute of Actuaries.
The selection of journals in management, finance and economics is based on the journal ranking of the German Academic Association of Business Research (VHB-Jourqual 3; see https://vhbonline.org/vhb4you/vhb-jourqual). The journals are presented in alphabetical order.
The only exception is the Geneva Papers on Risk and Insurance which published a special issue on cyber risk in 2018 and will publish another special issue this year.
The search strategy certainly has limitations, so our selection of papers should not necessarily be considered comprehensive. For example, articles that do not contain the words “cyber risk” or “cyber insurance” in the title, abstract or keywords are not included in the list; one such case is the often-cited article on data breaches by Romanosky et al. [66]. Still, the selection of papers should provide a good overview of research in the different fields.
Bai [5] focuses on sentiment analysis from online texts and is the only one in the set of 40 articles that is just loosely related to the topic of cyber risk. The author proposes a Markov blanket model to capture dependencies among words and provide a vocabulary for extracting sentiments. The advantages of the approach compared to other state-of-the-art algorithms for sentiment analysis are illustrated in two applications (online movie reviews, online news). The article is included in the review because the author positions the tool not only to gauge online customers' preferences for economic or marketing research, but also for detecting cyber risk and security threats.
They also show that stock prices of information security providers increase on average in value by 1.36% or US$1.06 billion after the announcement of another company’s security breach.
Other analyses on related topics are Srinidhi, Yan and Tayi [75]; Johnson, Böhme and Grossklags [49] and Pal et al. [62]. Srinidhi, Yan and Tayi [75] show that cyber insurance has the effect of reducing managers' overinvestment in specific security-enhancing assets. Johnson, Böhme and Grossklags [49] present security games with market insurance. Pal et al. [62] ask whether cyber insurance can improve the security in a network and show that in equilibrium insurers cannot make more than zero expected profits, again questioning the insurability of cyber risk.
Romanosky [64] provides a first attempt to quantify the costs of cyber events considering US data from Advisen; he mainly presents descriptive statistics that can be used to validate and verify the plausibility of cyber loss estimates; moreover, he presents a logistic regression model to analyze the costs of cyber events, but for data breaches only. Furthermore, a few industry studies exist (NetDiligence [59]; Ponemon [47]) that are also descriptive in nature.
Another related modelling paper is Eling and Loperfido [27] who consider the PRC dataset and use multidimensional scaling and goodness-of-fit tests to analyze the distribution of data breach information. The results show that different types of data breaches need to be modeled as distinct risk categories. For severity modeling, the log-skew-normal distribution provides promising results. The findings add to the discussion on the use of skewed distributions in actuarial modeling (Vernic [30]; Bolancé et al. [12]; Eling [25]) and provide insights for actuaries working on the implementation of cyber insurance policies.
The largest cyber loss has been WannaCry, which resulted in a US$8 billion economic loss (Gallin [38]). Mahalingam et al. [53] illustrate that for an event to have an impact on the capital market, an economic loss of at least US$1 trillion (or at least 1–2% of world GDP) is necessary. This extreme magnitude that is necessary to create a systematic impact is very likely also the reason why event studies for other catastrophic events come to more mixed and inconclusive results.
References
Anderson R, Moore T (2006) The economics of information security. Science 314:610–613
Ashby S, Buck T, Nöth-Zahn S, Peisl T (2018) Emerging IT risks: Insights from German banking. Geneva Pap Risk Insur Issues Pract 43:180–207
Augsburger-Bucheli I, Bangerter E, Brunoni L et al (2017) Forschung zu Cyber-Risiken in der Schweiz. Bern. https://www.isb.admin.ch/dam/isb_kp/de/dokumente/themen/ncs/Expertenbericht_forschung.pdf.download.pdf/Expertenbericht_forschung.pdf
August T, Dao D, Kim K (2019) Market segmentation and software security: pricing patching rights. Manage Sci 65:4575–4597
Bai X (2011) Predicting consumer sentiments from online text. Decision Support Syst 50:732–742
Bandyopadhyay T, Mookerjee V, Rao R (2009) Why IT managers don’t go for cyber-insurance products. Commun ACM 52:68–73
Bentley M, Stephenson A, Toscas P, Zhu Z (2020) A multivariate model to quantify and mitigate cybersecurity risk. Risks 8:61
Berliner B (1982) Limits of insurability of risks. Englewood Cliffs, New Jersey
Biancotti C (2017) The price of cyber (in)security: evidence from the Italian private sector. In: Bank of Italy occasional paper
Biener C, Eling M, Wirfs JH (2015) Insurability of cyber risk: an empirical analysis. Geneva Pap Risk Insur Issues Pract 40:131–158
Böhme R, Kataria G (2006) Models and measures for correlation in cyber-insurance. Boston. https://www.econinfosec.org/archive/weis2006/docs/16.pdf
Bolancé C, Guillén M, Pelican E, Vernic R (2008) Skewed bivariate models and nonparametric estimation for the CTE risk measure. Insur Math Econ 43:386–393
Campbell K, Gordon LA, Loeb MP, Zhou L (2003) The economic cost of publicly announced information security breaches: empirical evidence from the stock market. J Comput Secur 11:431–448
Cartagena S, Gosrani V, Grewal J, Pikinska J (2020) Silent cyber assessment framework. Br Actuarial J 2020:25
Cavusoglu H, Mishra B, Raghunathan S (2004) The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. Int J Electron Commerce 9:69–104
Cebula J, Young L (2010) A taxonomy of operational cyber security risks. Carnegie Mellon, https://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9395
Ceross A, Simpson A (2017) The use of data protection regulatory actions as a data source for privacy economics. In: Tonetta S, Schoitsch E, Bitsch F (eds) Computer safety, reliability, and security. Springer International Publishing, Cham, pp 350–360
Daffron J, Ruffle S, Andrew C, et al (2019) Bashe attack: Global infection by contagious malware. Cambridge Centre for Risk Studies, Lloyd’s of London and Nanyang Technological University. https://www.lloyds.com/news-and-risk-insight/risk-reports/library/technology/bashe-attack
Dal Moro E (2020) Towards an economic cyber loss index for parametric cover based on IT security indicator: a preliminary analysis. Risks 8:45
de Smidt G, Botzen W (2018) Perceptions of corporate cyber risks and insurance decision-making. Geneva Pap Risk Insur Issues Pract 43:239–274
Dejung S (2017) Economic impact of cyber accumulation scenarios. Swiss Insurance Association SVV Cyber Working Group, Zürich. https://www.vvb-alumni.de/wp-content/uploads/2020/03/Economic_impact_Cyber_loss_accumulation_scenarios_SVV.pdf
Dondossola G, Garrone F, Szanto J (2011) Cyber risk assessment of power control systems—a metrics weighed by attack experiments. In: 2011 IEEE power and energy society general meeting, pp 1–9
Edwards B, Hofmeyr S, Forrest S (2016) Hype and heavy tails: a closer look at data breaches. J Cybersecur 2:3–14
Egan R, Cartagena S, Mohamed R et al (2019) Cyber operational risk scenarios for insurance companies. Br Actuarial J 2019:24
Eling M (2012) Fitting insurance claims to skewed distributions: are the skew-normal and skew-student good models? Insur Math Econ 51:239–248
Eling M, Jung K (2018) Copula approaches for modeling cross-sectional dependence of data breach losses. Insur Math Econ 82:167–180
Eling M, Loperfido N (2017) Data breaches: goodness of fit, pricing, and risk measurement. Insur Math Econ 75:126–136
Eling M, Schnell W (2020) Extreme cyber risks and the nondiversification trap. Working Paper University of St. Gallen. https://www.alexandria.unisg.ch/260004/
Eling M, Schnell W (2016) What do we know about cyber risk and cyber risk insurance? J Risk Financ 17:474–491
Eling M, Schnell W (2019) Capital requirements for cyber risk and cyber risk insurance: an analysis of solvency II, the US Risk-based capital standards, and the swiss solvency test. N Am Actuarial J 2019:1–23
Eling M, Wirfs J (2019) What are the actual costs of cyber risk events? Eur J Oper Res 272:1109–1119
Eling M, Zhu J (2018) Which insurers write cyber insurance? Evidence from the US property and casualty insurance industry. J Insur Issues 41:22–56
Fahrenwaldt MA, Weber S, Weske K (2018) Pricing of cyber insurance contracts in a network model. ASTIN Bull J IAA 48:1175–1218
Falco G, Eling M, Jablanski D et al (2019) Cyber risk research impeded by disciplinary barriers. Science 366:1066–1069
Long Finance (2015) Financing the transition: sustainable infrastructure in cities. Z/Yen Group, London. https://www.longfinance.net/media/documents/Financing_the_transition_March2015.pdf
Franke U, Holm H, König J (2014) The distribution of time to recovery of enterprise it services. IEEE Trans Reliab 63:858–867
Gai K, Qiu M, Elnagdy S (2016) A novel secure big data cyber incident analytics framework for cloud-based cybersecurity insurance. In: 2016 IEEE 2nd international conference on big data security on cloud (BigDataSecurity), IEEE international conference on high performance and smart computing (HPSC), and IEEE international conference on intelligent data and security (IDS), pp 171–176
Gallin L (2017) Re/insurance to take minimal share of $8 billion WannaCry economic loss: A.M. Best. In: ReinsuranceNews. https://www.reinsurancene.ws/reinsurance-take-minimal-share-8-billion-wannacry-economic-loss-m-best/. Accessed 31 Jul 2020
Gordon LA, Loeb M (2002) The economics of information security investment. ACM Trans Inf Syst Secur 5:438–457
Gordon L, Loeb M, Sohail T (2003) A framework for using insurance for cyber-risk management. Commun ACM 46:81–85
Heitzenrater CD, Simpson AC (2016) Policy, statistics and questions: Reflections on UK cyber security disclosures. J Cybersecur 2:43–56
Herath H, Herath T (2011) Copula-based actuarial model for pricing cyber-insurance policies. Insur Markets Companies Anal Actuarial Comput 2:7–20
Hoang DT, Wang P, Niyato D, Hossain E (2017) Charging and discharging of plug-in electric vehicles (PEVs) in vehicle-to-grid (V2G) systems: a cyber insurance-based model. IEEE Access. https://doi.org/10.1109/ACCESS.2017.2649042
Hofmann A, Ramaj H (2011) Interdependent risk networks: the threat of cyber attack. Int J Manage Decision Making 11:312–323
Hofmann A, Rothschild C (2019) On the efficiency of self-protection with spillovers in risk. Geneva Risk Insur Rev 44:207–221
Hovav A, D’Arcy J (2003) The impact of denial-of-service attack announcements on the market value of firms. Risk Manag Insur Rev 6:97–121
Ponemon Institute (2017) 2017 cost of data breach study. Traverse City. https://www.ibm.com/downloads/cas/ZYKLN2E3
Jevtić P, Lanchier N (2020) Dynamic structural percolation model of loss distribution for cyber risk of small and medium-sized enterprises for tree-based LAN topology. Insur Math Econ 91:209–223
Johnson B, Böhme R, Grossklags J (2011) Security games with market insurance. In: Baras JS, Katz J, Altman E (eds) Decision and game theory for security. Springer, Berlin, Heidelberg, pp 117–130
Kamiya S, Kang J-K, Kim J et al (2020) Risk management, firm reputation, and the impact of successful cyberattacks on target firms. J Financ Econ. https://doi.org/10.1016/j.jfineco.2019.05.019
Kelly S, Leverett E, Copic J et al (2016) Integrated infrastructure: cyber resiliency in society: mapping the consequences of an interconnected digital economy. In: Centre for Risk Studies, University of Cambridge. https://www.jbs.cam.ac.uk/faculty-research/centres/risk/publications/technology-and-space/integrated-infrastructure-cyber-resiliency-in-society/
Lloyd’s (2015) Business blackout: The insurance implications of a cyber attack on the US power grid. https://www.lloyds.com/news-and-risk-insight/risk-reports/library/society-and-security/business-blackout. Accessed 31 Jul 2020
Mahalingam A, Coburn AW, Jung CJ, et al (2018) Impacts of severe natural catastrophes on financial markets. Centre for Risk Studies, University of Cambridge. https://www.jbs.cam.ac.uk/faculty-research/centres/risk/publications/natural-catastrophe-and-climate/impacts-of-severe-natural-catastrophes-on-financial-markets/
Maillart T, Sornette D (2010) Heavy-tailed distribution of cyber-risks. Eur Phys J B 75:357–364
Marotta A, McShane M (2018) Integrating a proactive technique into a holistic cyber risk management approach. Risk Manag Insur Rev 21:435–452
Marotta A, Martinelli F, Nanni S et al (2017) Cyber-insurance survey. Comput Sci Rev 24:35–61
McQueen M, Boyer W, Flynn M, Beitel G (2006) Time-to-compromise model for cyber risk reduction estimation. In: Gollmann D, Massacci F, Yautsiukhin A (eds) Quality of protection. Springer, New York, pp 49–64
Mukhopadhyay A, Chatterjee S, Saha D et al (2013) Cyber-risk decision models: to insure IT or not? Decision Support Syst 56:11–26
NetDiligence (2016) 2016 cyber claims study. Gladwyne, PA. https://netdiligence.com/wp-content/uploads/2016/10/P02_NetDiligence-2016-Cyber-Claims-Study-ONLINE.pdf
Nikolakopoulos T, Darra E, Tofan D (2016) The cost of incidents affecting CIIs: systematic review of studies concerning the economic impact of cyber-security incidents on critical information infrastructures (CII). In: ENISA, Heraklion. https://www.enisa.europa.eu/publications/the-cost-of-incidents-affecting-ciis
Oughton E, Copic J, Skelton A et al (2016) Helios solar storm scenario. Centre for Risk Studies, University of Cambridge. https://www.jbs.cam.ac.uk/faculty-research/centres/risk/publications/technology-and-space/helios-solar-storm-scenario/
Pal R, Golubchik L, Psounis K, Hui P (2014) Will cyber-insurance improve network security? A market analysis. In: IEEE INFOCOM 2014—IEEE conference on computer communications, pp 235–243
Pooser DM, Browne MJ, Arkhangelska O (2018) Growth in the perception of cyber risk: evidence from US P&C insurers. Geneva Pap Risk Insur Issues Pract 43:208–223
Romanosky S (2016) Examining the costs and causes of cyber incidents. J Cyber Secur 2:121–135
Risk Management Solutions Inc. (2016) Managing cyber insurance accumulation risk. In: Centre for Risk Studies, Cambridge. https://www.jbs.cam.ac.uk/faculty-research/centres/risk/publications/technology-and-space/cyber-risk-outlook/managing-cyber-insurance-accumulation-risk-2016/
Romanosky S, Telang R, Acquisti A (2011) Do data breach disclosure laws reduce identity theft? J Policy Anal Manag 30:256–286
Romanosky S, Hoffman D, Acquisti A (2014) Empirical analysis of data breach litigation. J Empir Legal Stud 11:74–104
Ruffle SJ, Bowman G, Caccioli F et al (2014) Stress Test Scenario: Sybil Logic Bomb Cyber Catastrophe. In: Centre for Risk Studies, University of Cambridge. https://www.jbs.cam.ac.uk/faculty-research/centres/risk/publications/technology-and-space/sybil-logic-bomb-cyber-catastrophe-stress-test-scenario/
Schnell W (2020) Does cyber risk pose a systemic threat to the insurance industry? Working Paper University of St. Gallen. https://www.alexandria.unisg.ch/260003/
Schroeder B, Gibson GA (2010) A large-scale study of failures in high-performance computing systems. IEEE Trans Depend Secure Comput 7:337–350
Shackelford SJ (2012) Should your firm invest in cyber risk insurance? Bus Horiz 55:349–356
Shetty N, Schwartz G, Felegyhazi M, Walrand J (2010) Competitive cyber-insurance and internet security. In: Moore T, Pym D, Ioannidis C (eds) Economics of information security and privacy. Springer, Boston, pp 229–247
Shetty S, McShane M, Zhang L et al (2018) Reducing informational disadvantages to improve cyber risk management. Geneva Pap Risk Insur Issues Pract 43:224–238
Sinanaj G, Muntermann J (2013) Assessing corporate reputational damage of data breaches: an empirical analysis. BLED 2013 Proc 2013:29
Srinidhi B, Yan J, Tayi GK (2015) Allocation of resources to cyber-security: the effect of misalignment of interest between managers and investors. Decision Support Syst 75:49–62
Trautman LJ, Ormerod P (2019) Wannacry, ransomware, and the emerging threat to corporations. Tennessee Law Rev 86:505–556
Verizon LLC (2018) 2018 data breach investigations report. New York. https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf
Vernic R (2006) Multivariate skew-normal distributions with applications in insurance. Insur Math Econ 38:413–426
Vishwanath A, Harrison B, Ng YJ (2018) Suspicion, cognition, and automaticity model of phishing susceptibility. Commun Res 45:1146–1166
Wheatley S, Maillart T, Sornette D (2016) The extreme risk of personal data breaches and the erosion of privacy. Eur Phys J B 89:7
Woods DW, Moore T, Simpson AC (2019) The county fair cyber loss distribution: drawing inferences from insurance prices. Boston, MA
World Economic Forum (2010) The global competitiveness report 2010–2011. World Economic Forum, Geneva. https://www3.weforum.org/docs/WEF_GlobalCompetitivenessReport_2010-11.pdf
Xu M, Hua L (2019) Cybersecurity insurance: modeling and pricing. N Am Actuarial J 23:220–249
Xu M, Schweitzer KM, Bateman RM, Xu S (2018) Modeling and predicting cyber hacking breaches. IEEE Trans Inf Forensics Secur 13:2856–2871
Acknowledgements
I thank Sebastian Kimm-Friedenberg and Werner Schnell for their assistance in preparing this paper.
Funding
None.
Ethics declarations
Conflict of interest
The author(s) declare that they have no conflicts of interest.
Cite this article
Eling, M. Cyber risk research in business and actuarial science. Eur. Actuar. J. 10, 303–333 (2020). https://doi.org/10.1007/s13385-020-00250-1